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Although it is impossible for a bit commitment protocol to be both arbitrarily concealing and 
arbitrarily binding, it is possible for it to be both partially concealing and partially binding. This 
means that Bob cannot, prior to the beginning of the unveiling phase, find out everything about 
the bit committed, and Alice cannot, through actions taken after the end of the commitment phase, 
unveil whatever bit she desires. We determine upper bounds on the degrees of concealment and 
bindingness that can be achieved simultaneously in any bit commitment protocol, although it is 
unknown whether these can be saturated. We do, however, determine the maxima of these quantities 
in a restricted class of bit commitment protocols, namely those wherein all the systems that play a 
role in the commitment phase are supplied by Alice. We show that these maxima can be achieved 
using a protocol that requires Alice to prepare a pair of systems in an entangled state, submit one 
of the pair to Bob at the commitment phase, and the other at the unveiling phase. Finally, we 
determine the form of the trade-off that exists between the degree of concealment and the degree 
of bindingness given various assumptions about the purity and dimensionality of the states used in 
the protocol. 



I. INTRODUCTION 

Bit comniitnient(BC) is a cryptographic primitive in- 
volving two mistrustful parties, Alice and Bob, wherein 
one seeks to have Alice submit an encoded bit of infor- 
mation to Bob in such a way that Bob cannot reliably 
identify the bit before Alice decodes it for him, and Alice 
cannot reliably change the bit after she has submitted 
it. In other words, Bob is interested in binding Alice to 
some commitment, and Alice is interested in concealing 
this commitment from Bob. It is well known ||l|, j^] that 
a BC protocol that is both concealing and binding is im- 
possible Nonetheless, it is possible to devise a BC 
protocol that is both partially concealing and partially 
binding, that is, one wherein if Alice is honest then the 
probability that Bob can estimate her commitment cor- 
rectly is strictly less than 1, and if Bob is honest then the 
probability that Alice can unveil whatever bit she desires 
is strictly less than 1. This paper addresses the prob- 
lem of determining the optimal degrees of concealment 
and bindingness that can be achieved simultaneously in 
quantum bit commitment protocols. 

We establish an upper bound on the degrees of conceal- 
ment and bindingness for all BC protocols. It is unclear 
at this time whether or not this upper bound can be sat- 
urated. Nonetheless, we are able to provide a saturable 
upper bound for a more restricted class of BC protocols, 
namely protocols wherein Alice initially holds all of the 
systems that play a role in the commitment phase of the 
protocol. We also introduce a new kind of BC protocol 
that achieves this maximum. The protocol essentially 
consists of Alice preparing two systems in an entangled 
state, submitting one system to Bob at the commitment 



phase, and submitting the other system at the unveil- 
ing phase. We show that in such protocols the maximum 
achievable degree of bindingness is related in a simple way 
to the fidelity between the reduced density operators for 
the systems held by Bob at the end of the commitment 
phase. 

BC appears as a primitive in the protocols of many 
different cryptographic tasks between mistrustful parties. 
As such, the kinds of security that can be achieved in 
BC has implications for the kinds of security that can be 
achieved in these other tasks. In this paper we consider 
only the_iniplications of our results to the task of coin 
tossing 
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II. 



DEGREES OF CONCEALMENT AND 
BINDINGNESS 



A bit commitment protocol involves three phases, 
which are called the commitment phase, the holding 
phase and the unveiling phase. During the commitment 
phase, Alice and Bob engage in some number of rounds 
of communication, with at least one communication from 
Alice to Bob. The period after the end of the commit- 
ment phase and prior to the beginning of the unveiling 
phase is called the holding phase, and may be of arbi- 
trary duration. During the unveiling phase, there is again 
some number of rounds of communication, with at least 
one communication from Alice to Bob. At the end of 
the unveiling phase, an honest Bob performs a measure- 
ment that has three outcomes, labelled '0','!' and 'fail', 
corresponding respectively to Alice unveiling a 0, Alice 
unveiling a 1 and Alice being caught cheating. The pro- 
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tocol specifies the sequence of actions an lionest Alice 
performs in order to commit to a bit 6, and guarantees 
that if she follows the actions for committing a bit b then 
an honest Bob's measurement at the end of the unveiling 
phase yields the outcome b with certainty. 

To discuss the security of BC protocols, it is useful to 
introduce two quantities which we shall call Alice's con- 
trol and Bob's information gain. These quantities are de- 
fined under the assumption that the other party is honest, 
and depend on the sequence of actions performed by the 
party in question. Alice's control is meant to quantify the 
extent to which she can influence (after the commitment 
phase) the outcome of Bob's measurement beyond what 
she could accomplish by following the honest strategy. 
Bob's information gain is meant to quantify his ability 
to estimate Alice's commitment (prior to the unveiling 
phase) beyond what he could accomplish by following 
the honest strategy. 

We now present the specific measures of control and 
information gain which we make use of in this paper. We 
assume for simplicity that Bob has no prior information 
on which bit Alice has committed, and that Alice is as 
likely to wish to unveil a bit as she is to wish to unveil a 
bit 1. We take our measure of Bob's information gain for 
the strategy , which we denote by G (S^) , to be the 
difference between his probability of estimating Alice's 
commitment correctly when he implements and when 
he is honest, 

G{S^) ^Pe{S^)- 1/2. 

We take our measure of Alice's control for the strategy 
S^, which we denote by C (5"^) , to be the difference 
between her probability of unveiling whatever bit she de- 
sires when she implements and when she is honest, 

C{S^)^Pv{S^)- 1/2. 

It follows that G{S^) and G{S^) vary between and 
1/2. 

We quantify the degrees of concealment and binding- 
ness in a BC protocol by Bob's maximum information 
gain and Alice's maximum control, defined respectively 
by 

G"'^'^ = maxG(S'^), 
G'^'"' = maxG(S^). 

A protocol is said to be partially concealing if Bob's max- 
imum information gain is strictly less than complete in- 
formation gain, G™'*'^ < 1/2; it is said to be perfectly con- 
cealing if his information gain is zero, G"^'^^ — 0; finally, 
it is said to be arbitrarily concealing or simply concealing 
if his information gain can be made arbitrarily small by 
increasing the value of a security parameter N, that is, 
Qmax ^ where e^OasA^^oo[^. Similar definitions 
hold for the degrees of security against Alice. A protocol 
is said to be partially binding if Alice's maximal control is 



strictly less than complete control, G™^'^ < 1/2; it is said 
to be perfectly binding if her control is zero, G™^^ = 0; fi- 
nally, it is said to be arbitrarily binding or simply binding 
if her control can be made arbitrarily small by increasing 
the value of a security parameter N, that is, G"^^^ < S, 
where (5 ^ as iV oo. 

If a degree of security (such as concealment or bind- 
ingness) can be guaranteed by assuming only the laws of 
physics (and the integrity of a party's laboratory), then 
it is said to hold unconditionally. In this paper, we shall 
only be concerned with unconditional security. Thus, 
every time we assign some degree of security (such as 
concealment or bindingness) to a protocol, it is implied 
that the protocol has this feature unconditionally. 

To understand the degree to which a protocol can be 
made concealing or binding we must answer the following 
questions: 

• What is Bob's maximal information gain, and what 
strategy achieves this maximum? That is, find 
G™'''^, and find S'§^'' such that G(5|'^'^) = G""^"". 

• What is Alice's maximal control, and what strategy 
achieves this maximum? That is, find G"^^^, and 
find S'^^^'^ such that G(5^^'') = G'"'''^. 

In another paper we provide answers to these ques- 
tions for BC protocols that are generalizations of the 
BB84 BC protocol[^. In this paper, we provide the 
complete solution for a different type of BC protocol, 
which we call a purification BC protocol. 

The above questions involve an optimization over 
strategies. We will also be interested in optimizing over 
protocols. Specifically, we wish to answer the following 
question: 

• For a given class of protocols, what is the mini- 
mum Alice's maximum control can be made for a 
given value of Bob's maximum information gain, 
and which protocol in the class achieves this min- 
imum? In other words, denoting protocols by V, 
the given class of protocols by /C, and the subset of 
this class associated with G™'"'' by /C(G™''''), find 
min-p^fCi^G---) C"''"'' (V) and find V°p^ such that 
(jmi,^ (-popt) ^ minpeK:(G»-) C""^'' CP). 

If this question can be answered for every value of 
Qmax^ then one obtains a curve in the Gmax_(^max pj^ne. 
Moreover, if this curve is monotonically decreasing then 
it is identical to what would have been obtained by min- 
imizing Bob's maximum information gain for a given 
value of Alice's maximum control. In this case, we call 
the curve the optimal trade-off relation between C™'^^ 
and G"^^^. Specifying this relation for a given class of 
protocols is a convenient way of expressing the maxi- 
mum degrees of concealment and bindingness that can 
be achieved with such protocols. 

In this paper, we determine a lower bound on the op- 
timal trade-off relation between G™'^^ and G'"^'^ for all 
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BC protocols. Unfortunately, we have not determined 
whether this lower bound is saturable or not. However, 
we do find the optimal trade-ofF relation for a restricted 
class of BC protocols, which we call Alice- supplied BC 
protocols. The generalized BB84 BC protocols and the 
purification BC protocols mentioned above both fall into 
this class. In fact, we show that the purification BC pro- 
tocols are optimal within this class. These protocols will 
be defined precisely in the next section. 



III. BC PROTOCOLS 

In order to perform optimizations over all quantum BC 
protocols, it is necessary to have a completely general 
model of such protocols. We make use of the following 
model for cryptographic protocols implemented between 
two mistrustful parties [Q. The Hilbert space required to 
describe the protocol is the tensor product of the Hilbert 
spaces for all the systems that play a role in the protocol. 
Every action taken by a party in their laboratory corre- 
sponds to that party performing a unitary operation on 
the systems in their possession. Every communication 
corresponds to a party sending some subset of the sys- 
tems in their possession to the other party (it follows that 
the mere transmission of information from one party to 
the other does not change the quantum state of the total 
system, but does change the Hilbert space upon which 
the parties can implement their unitary operations). It 
is assumed that the total system is initially in a pure 
state. 

It has been previously argued Q that this model is 
completely general. It incorporates the possibility of ran- 
dom choices and measurements during the protocol, since 
these can always be kept at the quantum level until the 
end without any loss of generality. A random choice is 
performed at the quantum level by implementing a uni- 
tary transformation that is conditioned upon the state of 
an ancilla prepared initially in a superposition of states. 
Measurements are performed at the quantum level by 
unitarily coupling the system to be measured to an an- 
cilla that is prepared in some fixed initial pure state. 

In the case of BC, the most general protocol may in- 
volve many rounds of communication during the com- 
mitment phase. Denoting the number of rounds by n, 
denoting Alice's honest sequence of operations for com- 
mitting a bit b by {Wb,i, ■■■,Wb,n}, and denoting Bob's 
honest sequence of operations by {W{, W^}, the total 
unitary operation they jointly implement is 

Wb = W',^Wb,n ■ ■ ■ W^Wb,2W[Wb,l. 

The transmissions that occur in each round will deter- 
mine the Hilbert space over which Wb^i and W[ act non- 
trivially. Thus, despite the fact that we have assumed 
that Alice implements the first unitary operation, this 
operation could be trivial and it remains arbitrary which 
party is first to submit a sytem to the other party. If the 



initial state of all systems is denoted by IV'init) , then the 
state at the holding phase if both parties are honest is 

\,l;b) = Wb IV^init) . 

It follows that the reduced density operator for Bob's 
system at the holding phase, assuming both parties are 
honest, is 

Pb = Tr{\ipb) {i/JbD , 

where the trace is over all the systems that end up in 
Alice's possession at the holding phase. 

During the unveiling phase, a similar process occurs. 
Denoting the number of rounds by to, denoting Alice's 
honest sequence of operations given that she committed 
to bit b by {Vf„i, Vf,^„}, and denoting Bob's honest 
sequence of operations by {V/, V^}, the total unitary 
operation they jointly implement is 

Vb = v,[Vb,n---v^Vb^2v;Vb,i. 

Thus, if both parties are honest, the state of the total 
system at the end of the unveiling phase is 

\^r) ^ Vb \^b) ■ (1) 

The protocol ends with Bob performing a three-outcome 
projective measurement {Hg, Hi, Hfaii} on the systems in 
his possession. If both parties are honest, then whenever 
Alice commits to a bit 6, the measurement must have 
outcome b with probability 1. This implies that l^/^o"^) 
and IV'i"^) niust be orthogonal, 

and that IV'""^) niust be an eigenstate of H;, with eigen- 
value 1, 

ivr) = i^r) • (2) 

As mentioned earlier, we will be interested in a re- 
stricted class of BC protocols, which we call Alice- 
supplied BC protocols. These protocols impose no re- 
strictions on the details of the unveiling phase and may 
involve an arbitrary number of rounds of communication 
between Alice and Bob during the commitment phase. 
However, it is required that all of the systems that Bob 
makes use of during the commitment phase are supplied 
by Alice. The class of Alice-supplied BC protocols in- 
cludes the generalized BB84 BC protocols, defined in Ref. 

, as well as the purification BC protocols defined be- 
low. An example of a protocol that falls outside this 
class is one wherein at the beginning of the commitment 
phase Bob submits to Alice a system that is entangled 
with one he keeps in his possession, and Alice encodes her 
commitment in the unitary transformation she performs 
upon this system before resubmitting it to Bob. Another 
example of such a protocol is one wherein during the 
commitment phase Bob uses ancillas that Alice did not 
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supply in order to make a random choice or perform a 
measurement. 

We now provide a precise definition of a purification 
BC protocol. 

A purification BC protocol. Such a protocol makes 
use of just two systems, which we shall call the token 
system and the proof system (since one is the token of 
Alice's commitment and the other is the proof of her 
commitment). These are associated with Hilbert spaces 
Tip and Tit- A purification BC protocol also specifies two 
orthogonal states |xo) and defined on Hp($Ht- The 
honest actions are as follows. 

1. At the commitment phase, Alice prepares the two 
systems in the state \xb) in order to commit to bit 
b, and sends the token system to Bob. 

2. At the unveiling phase, Alice sends the proof sys- 
tem to Bob, and Bob performs a measurement 
of the projector- valued measure {Ho, Hi, Iltaii} , 
where Ub = \xb) {xb\ ■ 

So we see there is only a single communication from Al- 
ice to Bob during both the commitment and the unveiling 
phases. In the notation of the general model presented 
above, Wb transforms IV'init) to \^pb) = \xb) , and Vb ~ I 
so that 1^,""-) = \^b) = \Xb) ■ 

We call this a purification BC protocol, since at the 
unveiling phase an honest Alice is required to provide 
Bob with a purification of the state that he received from 
her during the commitment phase. 

IV. MEASURES OF DISTINGUISHABILITY 
FOR DENSITY OPERATORS 

Two measures of the distinguishability of density op- 
erators will be important in the present work: the trace 
distance and the fidelity, defined respectively bypl|] 

D{p,cr) = ^Tr\p-a\ , 

and 

where |^| = \/A^A. 

We will find the following relations between these two 
measures to be very useful. For any two density opera- 
tors, the fidelity and the trace distance satisfy]!^ 

l-F{p,cj)<D{p,cj), (3) 

and 

D{p,a) < ^l-F{p,af. (4) 

The second inequality is saturated for any pair of pure 
states, that is, 

D{\^),\X)) = ^1-F{\^)AX))\ (5) 



for all IV') and |x) ■ ^ stronger lower bound for the trace 
distance between p and a exists if one of the density 
operators is pure. Specifically, 

l^F{p,\rl:)f <D{p,m. (6) 

This stronger lower bound also applies to the mixed 
states of qubits. More precisely, we have the following 
result. 

Lemma 1 For pairs of density operators p, a whose sup- 
ports lie in a single 2-dimcnsional Hilbert space, 

\^F{p,cjf <D{p,g). 

The proof of this is presented in the appendix. All of 
the above inequalities can be saturated. Explicit exam- 
ples will be presented in section VI. 

Finally, we present some properties of the fidelity that 
will be useful for the present investigation. Uhlmann's 
theorem states that the fidelity between two density 
operators is equal to the overlap of two maximally par- 
allel purifications of these density operators. Thus, if p 
and a are density operators on a Hilbert space 7i, j?/;) 
and Ix) are arbitrary purifications of p and a on 7i' (g)7i, 
and C/ is a unitary transformation on 7i', then 

F(p,a) = max|(V'|t/®/|x)|. (7) 

Another critical property is given by the following 
lemma. 

Lemma 2 The fidelity satisfies 

max (f (p, af + F (p, ujf^ = 1 + F (a, w) . 

The proof of this can be found in the derivation of 
Eq.(|rTl) from Eq.(||) in section VI and by making use of 
Uhlmann's theorem. 



V. OPTIMIZING OVER ALL BC PROTOCOLS 

In this section, we demonstrate an upper bound on 
the simultaneous degrees of concealment and bindingness 
(hence a lower bound on G™^^ and C'™''^) for any BC 
protocol. It should be noted that the main ideas that go 
into the proof of this result are present in the work of 
Mayers and Lo and Chaug]. 

Theorem 1 In any BC protocol, 

i) > ii?(po,Pi), 

ii) > \F{p^,p^f. 
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Proof. We begin by proving (i). To analyze secu- 
rity against Bob, we assume that AUce is honest. Sup- 
pose that Bob uses a strategy wherein he acts honestly 
throughout the commitment phase. In this case, the 
state of the total system at the end of this phase will 
be l^po) or \tpi) , depending on Alice's commitment. The 
reduced density operators for Bob's system will be po or 
pi . Now suppose that during the holding phase Bob does 
the measurement which optimally discriminates between 
Po and pi. It is a well-known result of state estimation 
theory |l^ that his information gain in this case will 
be 

G=^D{po,pi). 

Bob's maximum information gain may be greater than 
this value, since it may be beneficial for him to also cheat 
during the commitment phase (for instance, if the re- 
duced density operators on Bob's systems are more eas- 
ily discriminated at some point during the commitment 
phase than they are at the holding phase). Bob's maxi- 
mum information gain cannot, however, be less than this 
bound. This establishes (i). 

We now prove (ii). To analyze security against Alice, 
we can assume that Bob is honest. Suppose that Al- 
ice uses the following strategy. During the commitment 
phase, she follows the honest protocol for committing a 
bit 0, so that the total system is in the state \ipo) at the 
holding phase. Thereafter, if Alice wishes to unveil a bit 
0, she acts honestly for the rest of the protocol, while if 
she wishes to unveil a bit 1, then she applies a unitary 
transformation JJ™'^^ to the systems in her possession just 
prior to the unveiling phase, and thereafter acts honestly, 
^max chosen such that 

(Vi|t/'"'^'^<8/|Vo) =nmx(^i|{7®/|Vo)- (8) 

The probability that Alice succeeds at unveiling a bit 
when she attempts to do so is unity, Pyo = 1: since she 
has simply followed the honest protocol for committing a 
0. The probability that Alice succeeds at unveiling a bit 
1 when she attempts to do so is 

Pui = Tr (u^Vi {U""^^ ® I) l^o) (^ol ([/'""'^^ ® I) V[) . 

Now since the state |V'™^) = Vi IV'i) is an eigenstate of 
Hi with eigenvalue 1 (see Eq.(^), one can write 

for some non- negative operator Fi, orthogonal to 

l^unvN, ^^unv| _ foUowS that 

Pui > i(^n^i(c^""'^®^)iV'o)i' 

Since we are assuming that Alice is equally likely to wish 
to unveil a as a 1, her probability of unveiling the bit 




Bob's Maximum Information Gain (G""^) 

FIG. 1: Curve I is a lower bound for the trade-off relation be- 
tween C™'''' and G™™ for any BC protocol. The other curves 
are the optimal trade-off relations for Alice-supplied BC under 
different restrictions on po and pi: (II) no restrictions; (III) 
both qubit states or not both mixed states; and (IV) both 
pure states. A, B, C and D correspond to the points along 
these curves where the protocol is fair, i.e. C"™™ = G'^'^^. 

of her choosing satisfies 

Recalling the definition of JJ'^^^ (Eq.(|8|)), and making use 
of Uhlniann's theorem (Eq.(^), we conclude that Alice's 
control for this particular strategy satisfies 

C>^F{po,pif. 

Alice's maximum control may be greater than this bound, 
since she may be able to cheat during the commitment 
and unveiling phases as well, but it cannot be less. This 
establishes (ii). □ 

It is common in quantum information theory to ques- 
tion the degree to which the sharing of prior entangle- 
ment enhances one's ability to perform information pro- 
cessing tasks. With this in mind it is perhaps interesting 
to note that the proof of Theorem 1 makes no restriction 
on IV'init)- Thus theorem 1 applies even if Alice and Bob 
share entangled states that they both trust prior to the 
initialization of the BC protocol. 

Corollary 1 In any BC protocol, the optimal trade-off 
between G™^^ and C'™'*'^ is a curve satisfying 

2G'max _^ y2C^ > 1. 

(the lower bound corresponds to curve I in Fig. 1). 
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Proof: This follows from Theorem 1 and Eq. (|3|). □ 

It is well-known |2| that it is impossible to have a 
BC protocol that is both arbitrarily concealing and ar- 
bitrarily binding, that is, one for which G"^^^ < e and 
(jmax g ^^j. arbitrarily small e and S. This clearly fol- 
lows from Corollary 1. However, Corollary 1 says more 
than this, since it also sets a lower bound on the extent 
to which any BC protocol can be partially concealing and 
partially binding. Thus, in addition to being able to rule 
out the possibility of a BC protocol with G"^'^^ and G"^'^^ 
arbitrarily close to the origin in Fig. 1, one can rule out 
the possibility of a BC protocol anywhere below curve I 
of Fig. 1. The best one can hope for is a BC protocol 
with 2G'^^'' + V2C^ = 1 (curve I of Fig. 1). In par- 
ticular, the best fair BC protocol one can hope for has 

In this paper, we do not settle the question of whether 
there exists a protocol for which Alice's maximal control 
and Bob's maximal information gain achieve the lower 
bounds of Theorem 1 simultaneously. Such a protocol 
would have to be such that Bob could not get any more 
information by cheating during the commitment phase 
than he can by cheating during the holding phase, and 
such that Alice could not get any more control by cheat- 
ing during the commitment phase or the unveiling phase 
than she can by cheating during the holding phase. It 
seems to us that such a protocol is unlikely to exist. 



VI. OPTIMIZING OVER ALICE-SUPPLIED BC 
PROTOCOLS 

A. Optimal degrees of concealment and 
bindingness 

The main results of this paper are: 
Theorem 2 In Alice-supplied BC protocols, 

i) G'"- > Id{po,Pi), 

> iF(po,Pi), 

and 

Theorem 3 Purification BC protocols saturate the 
bounds in Theorem 2. 



Proof of Theorem 2. Inequality (i) follows trivially 
from theorem 1, since if G"^'^^ > (po,pi) for all BC 
protocols then clearly G™^'^ (Po, Pi) for any Alice- 

supphed BC protocol. 

Inequality (ii) , on the other hand, is stronger than the- 
orem 1. To prove it, we must consider Alice's most gen- 
eral cheating strategy. Without loss of generality, we can 
assume that she keeps all of her cheating actions at the 
quantum level. During the commitment phase, Alice can 



cheat by implementing a sequence of unitary operations 
{14^1, . . . , Wji} different from the honest sequence. She 
can cheat at the end of the holding phase by implement- 
ing a unitary transformation Ub® I that depends on the 
bit b she would like to unveil. Finally, she can cheat dur- 
ing the unveiling phase by implementing a sequence of 
unitary operations {V^^i, . . . , Vf,^„} that depends on the 
bit b she would like to unveil and that is different from 
the honest sequence. The maximum probability of Alice 
unveiling the bit of her choosing is therefore given by 



rjmax 
MJ 



1 

— max 

2 {Wi,...,w„} 



E 



max max 

{V'i.,i>---,V'i,,„} ^1' 



where 



W 
14 



6e{o,i} 

TriUbVb {Ub ®I)W IV'init) (V'init 



W!^Wn---W2W2W[Wi, and 
Vyb,n---VJ,VbaVlVb,i. 



W and Vb are the total unitary operations that Alice and 
Bob jointly implement given that Bob is honest and Alice 
cheats. 

We begin by optimizing over Alice's cheating strategy 
during the commitment phase. It turns out that the as- 
sumption of an Alice-supplied protocol allows us to re- 
place the maximization over {Wi, . . . , Wn} by a maxi- 
mization over all unitary operations on the total system. 
This means that Alice has as much cheating power in an 
arbitrary Alice-supplied protocol as she does in a proto- 
col where Bob does not play any role in the commitment 
phase. The reason is that Alice can bring about any 
unitary operation W by implementing the sequence of 
operations 

Wi = {w^---w[y^w 

W, = / for i 7^ 1. 

This result only applies for Alice-supplied BC protocols, 
since Alice must initially have access to all the systems 
that will appear in the commitment phase in order to 
implement Wi. We can conclude that 



pinax 



— max max max 

&6{0,1} 



Tr{nbVb{Ub<E)I)W\ijinit){'^init\ 

We now consider the unveiling measurement. Eq.(|^) 
implies that the honest state at the end of the unveiling 
phase, IV'b"^) must be an eigenstate of lib. Thus, 
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for some non- negative operator F;,. It follows that 

u — 9 w ^ 



max max 
{14,1,..., Vb.„} '^i' 



f)G{0,l} 
^rin(C/b®/)M^|V'init 



Clearly the maximum over {Vb^i, . . . , Vb^„} must be 
greater than or equal to the value for {Vb^i, . . . , Vfc^„}, the 
honest sequence of operations for unveiling bit b. Thus, 

Pr'^ > I max n/ax | {i^riVb [Ub <E> I) Wlt.mt) f • 

&e{o,i} 

Since W varies over all unitary operators, we can write 
= W IV'init) and vary over all . Making use of the 
fact that IV'r") = \tpb) (Eq.(0)), we have 

P^'^^ijmax ^ max|(7^,|(C/b®/)|V')|'. (9) 

We perform the maximization over \ip) for a given Uq 
and J7i. By a variational approach, it is easy to show 
that the optimal lip) has the form (up to an arbitrary 
overall phase) 



1^" 



-iarg(('0o|)/'l)) 



V2J1 + 



where 



(10) 



It follows that 



> 2 (1 + ^fcf^ K^oi ^of^i ® ^ iV'i)! 



(11) 



Inequality (ii) now follows trivially from Uhlmann's the- 
orem and the definition of Alice's control. □ 

Proof of Theorem 3. Recall the definition of a 
purification BC protocol, provided in section III. If Alice 
is honest she prepares the proof-token composite in either 
Ixo) or \xi) and submits the token system to Bob. In 
this case, the reduced density operators po and pi that 
describe the token system are simply the trace over the 
proof system of \xo) and that is, 

Pb = Trp (Ixfc) {Xb\) ■ 

The only cheating strategy available to Bob is to try 
to estimate the state of the token system, that is, to 
discriminate po and pi. It follows from state estimation 
theory that his maximum information gain is G"^'^^ = 



{pq, pi) and is achieved by performing a Helstrom 
measurement ||lj, |l^ . 

Alice can cheat in two ways in a purification BC pro- 
tocol. She can cheat during the commitment phase by 
preparing the total system in a state lip) that is different 
from \xo) or |xi) , and she can cheat just prior to the 
unveiling phase by implementing a unitary operation Ub 
on the proof system. The identity of Ub can of course 
depend on which bit b she wishes to unveil. 

Recalling that Ilh = \xb) {Xb\ , Alice's maximum prob- 
ability of unveiling whatever bit she desires is 



r>max 



= max V i max \{xb\Ub(E)I 
\ip) i 
6e{o,i} 



Defining p = Tvp (|?/') ("01) and making use of Uhlmann's 
theorem, we obtain 



pmax 
MJ 



1 

= — max 
2 P 



(F{p,p^f + F{p,p^f 



It now follows trivially from Lemma 2 and the definition 
of the control that C"^^^ = {pQ, pi). Alice achieves 
this control by implementing any unitary operations Uq 
and Ui that satisfy UqUi = [Z^^'' where [/™ax -g (iggned 
in Eg . (|[) , and by initially preparing the state \tp"-^'^^) of 
Eq.(|ig) with IVfc) = \xb). □ 



B. Optimal trade-off relations 

Given theorem 3, it is straightforward to determine the 
optimal trade-off relations between G"^^^ and C'^'^^ for 
various restrictions on the states of Bob's system at the 
holding phase. 

Corollary 2 In Alice-supplied BC protocols where po 
and pi are arbitrary, the optimal trade-off is 



^max _j_ ^max 



1 



(This corresponds to curve II in Fig. 1). 

Proof. This follows from theorem 3 and Eq.(H). □ 

Corollary 3 In Alice-supplied BC protocols where po 
and pi either (1) have supports that lie in a single 
2 dimensional Hilbert space, or (2) are not both 
mixed, the optimal trade-off is 



^max _|_ 2^^max^2 



1 



(This corresponds to curve III in Fig. 1). 

Proof. This follows from theorem 3, Eq.(|6|) and 
Lemma 1. □ 
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Corollary 4 In Alice-supplied BC protocols where po 
and pi are both pure states, the optimal trade-off 



(This corresponds to curve IV in Fig. 1). 

Proof. This follows from theorem 3 and Eq.(^. □ 

We now provide simple examples of protocols that 
achieve the optimal trade-offs of Corollaries 2-4. 

To achieve the optimal trade-off of Corollary 2, it suf- 
fices to consider a purification BC protocol where po and 
pi saturate the inequality of Eq.(|). The simplest ex- 
ample makes use of commuting density operators in a 3 
dimensional Hilbert space. Specifically 



Po 




and pi 




1-A 
A 



It is straightforward to show that D{pQ,pi) = A and 
F[pq,pi) = 1 — A, which implies that Z3(po,Pi) + 
F{pq,pi) = 1. It is worth emphasizing that a 3 dimen- 
sional Hilbert space is the smallest space in which this 
bound can be saturated, since states in a 2 dimensional 
Hilbert space must satisfy lemma 1. 

We now provide a specific example of a family of pro- 
tocols that achieve the optimal trade-off of Corollary 3. 
We consider purification BC protocols wherein 



Po 



1 




and pi — 



A 
1 



A 



Note that this example qualifies both as an example 
where po and pi have supports that lie in the same 2 di- 
mensional Hilbert space, and as an example where one of 
Po and pi is pure. It is easy to see that D (po, pi) = 1 — A 
and F (po, pi) = v'A. Thus, we have saturated the lower 
bounds in Eq.(^) and lemma 1, and consequently, this 
family of protocols is optimal for the specified restric- 
tions on Po and pi. 

It is trivial to find BC protocols that achieve the opti- 
mal trade-off of Corollary 4. Any purification BC proto- 
col where po and pi are pure states will do. Specifically, 
if 

Po = |0) (0| and pi = 10) (01 , 



sin0 |1) , then one achieves every 
2 , .^max^2 _ 1 by varying 



where |0) — cos0 |0) 
point on the curve (C™'*'*^)^ + [G' 
over <j) in the range to tt/2. 

If we define a 'fair' BC protocol to be one where 
(jmayi _ (^max^ then by Substituting this identity into the 
trade-off relations presented above, we obtain the follow- 
ing results. The best fair BC protocol from among the 
class of Ahce-supplied BC protocols has C™'^^ = G'™^'' = 
0.25 (point A on Fig. 1). The best fair BC protocol from 



among the class of Alice-supplied BC protocols where po 
and pi are both qubit states or at least one of po and pi 

is pure has C""'*'' = G""^'' = ~ . 30902 (point B on 

Fig. 1). Finally, the best fair BC protocol from among 
the class of Alice-supplied BC protocols where po and pi 
are both pure states has C"°^'^ = G""'''' i^f - • ^^^^^ 
(point C on Fig. 1). 



VII. SIGNIFICANCE FOR COIN TOSSING 

We briefly discuss the relevance of these results to coin 
tossingl^, 0, Coin tossing(CT) is a cryptographic 

task wherein at the end of the protocol both parties 
decide, based on the outcome of their measurements, 
whether they have won, lost, or detected the other party 
cheating. If neither party is caught cheating, then the 
protocol must be such that the two parties agree on who 
won the coin toss. We can define a party's bias in a CT 
protocol as the difference between their probability of 
winning and 1/2. A CT protocol with maximum bias a 
for Alice and maximum bias [3 for Bob is one where if Bob 
is honest, the maximum Alice can make her probability 
of winning is ^ + a, and if Alice is honest, the maximum 
Bob can make his probability of winning is ^ -\- (3. CT 
can be built upon BC as follows. After the commitment 
phase. Bob sends Alice a bit which represents his guess 
of her commitment. If his guess corresponds to the bit 
Alice unveils, he wins the coin toss; if not, Alice wins. 
Our results show that it is possible to build a secure CT 
protocol for any pair of biases satisfying a + [3 > 1/2, 
and that this inequality can be saturated. In particular, 
a fair CT protocol with both biases equal to 0.25 can be 
built up in this way. 

Since CT is a weaker primitive than BC||l^, the im- 
possibility of a BC protocol that is arbitrarily concealing 
and binding does not imply the impossibility of a CT pro- 
tocol with arbitrarily small biases for both parties [p7[. 
Whether such a protocol is possible remains an open 
question in quantum cryptography. 

It should be noted that even if such a CT protocol 
does not exist, the fact that there exist CT protocols 
with bounded biases for both parties is still potentially 
very useful. For instance, these can provide protocols for 
gambling [p^ wherein both parties (the casino and the 
gambler) can be assured that their probability of winning 
is greater than some bound, regardless of the actions of 
the other party. 



VIII. RELATED OPTIMIZATION PROBLEMS 

The central result of this paper has been the maximiza- 
tion of Alice's control for certain BC protocols. However, 
Alice may wish to sacrifice some control in order to reduce 
her probability of being caught cheating. Specifically, if 
Alice assigns costs to the various outcomes of a BC proto- 
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col, then in order to optimize her costs she must know the 
minimum probabihty of being caught cheating for every 
possible degree of control. Since this probability quanti- 
fies the degree to which she has 'disturbed' the outcome 
of the protocol from what it would have been had she 
been honest, we may call the result of this optimization 
problem the control vs. disturbance relation. 

It is also interesting to consider a simple generaliza- 
tion of BC (which one might call 'integer commitment'), 
wherein Alice seeks to unveil one of a set of more than two 
integers (rather than just '0' or '1'), and to consider the 
generalization of the optimization problems mentionned 
above, namely, the problems of determining the maxi- 
mum probability that Alice can successfully unveil the 
integer of her choosing, and the minimal probability of 
being caught cheating for every possible probability of 
success. 

These optimization problems have obvious analogies 
in the context of quantum state estimation. When dis- 
criminating a set of states, one often seeks to determine 
both the maximum probability of correctly estimating 
the state (the maximum information gain) , as well as the 
minimum disturbance upon the system that is incurred 
for every possible degree of information gain (the infor- 
mation gain vs. disturbance relation). This suggests that 
it may be fruitful to pursue the analogy between the no- 
tions of control and information gain in more detail. In 
future work we hope to consider these optimization prob- 
lems in the context of purification BC protocols. 



IX. CONCLUSION 

We have studied the extent to which BC protocols can 
be made simultaneously both partially concealing and 
partially binding. The degrees of concealment and bind- 
ingness were quantified by Bob's maximum information 
gain about the bit committed and Alice's maximum con- 
trol over the bit she unveils. A lower bound on Alice's 
maximum control and Bob's maximum information gain 
for any BC protocol has been derived, although it is 
not known whether or not this bound can be saturated. 
A stronger lower bound was obtained for a restricted 
class of BC protocols, called 'Ahce-supplied' protocols, 
wherein Alice provides Bob with all of the systems that 
he makes use of during the commitment phase. Moreover, 
this lower bound has been shown to be saturated by what 
we have called a 'purification' BC protocol, wherein an 
honest Alice must prove her commitment to Bob by pro- 
viding him with a purification of the state she submitted 
to him during the commitment phase. 

We have also considered the trade-off between conceal- 
ment and bindingness for Alice-supplied BC protocols 
given different constraints on po a-nd pi (these are the 
states of the systems in Bob's possession during the hold- 
ing phase given commitments of and 1 respectively). 
Such constraints might arise from practical restrictions 
on the physical implementation of a BC protocol. We 



have shown that for BC protocols where po and pi have 
supports in a single 2D Hilbert space, or wherein po and 
pi are not both mixed, one cannot achieve the optimal 
trade-off relation (that is, the optimal degree of binding- 
ness for every degree of concealment). Using protocols 
wherein po and pi are both pure, one does even worse. 
The optimal trade-off for Alice-supplied BC protocols is 
(^max_j_(^max _ 1 ^g^^ j-^g achicvcd usiug a purification 

BC protocol wherein po and pi are mixed but commuting 
states of a 3-dimensional Hilbert space. 

The following question concerning the degrees of con- 
cealment and bindingness in BC protocols remains unan- 
swered: do there exist any BC protocols with a trade-off 
relation that is better than the linear trade-off relation 
^max _^ Qmi,^ = 1? In Order to settle this question, the 
scope of our analysis must be extended beyond Alice- 
supplied protocols. We conjecture that the linear trade- 
off is in fact the optimal trade-off from among all BC 
protocols. 

We end with some comments on the broader signifi- 
cance of the results of this paper. Alice's cheating strat- 
egy in a BC protocol is an example of a task that can be 
described as the preparation of quantum states at a re- 
mote location. There are many tasks of this sort, which 
differ in the constraints imposed upon the 'preparer'. 
These constraints may specify what is known about the 
state to be prepared, whether the parties involved in its 
implementation are cooperative or adversarial, and how 
much resource material is available, such as the num- 
ber of classical or quantum bits that can be exchanged, 
and the amount of prior entanglement the parties share. 
For instance, in purification BC protocols, Alice seeks to 
maximize her probability of remotely preparing one of 
two states of a bipartite system (which may be entan- 
gled), given that Bob is adversarial and given that she 
only learns which state she wishes to prepare after she 
has already submitted half of the system. (Equivalently, 
one may say that the states which Alice must remotely 
prepare are improper mixed states, and that she proves 
that she has done so by providing purifications of these 
states.) There has also been interest recently in a dif- 
ferent sort of task involving the preparation of quantum 
states at a remote location |19 . In this task, the par- 



ties are cooperative and the optimization problem to be 
solved is the minimization of the number of classical bits 
of communication asymptotically required to remotely 
prepare a state for a given amount of prior entanglement. 
Although this task has been called 'remote state prepa- 
ration', this term may be better suited as a label for all 
tasks involving the preparation of quantum states at a 
remote location, just as the term 'state estimation' refers 
to many tasks differing in the constraints imposed on the 
'estimator'. 

We feel that the general problem of remote state prepa- 
ration may be, in some sense, as fundamental in quan- 
tum mechanics as the general problem of state estima- 
tion. In particular, a greater understanding of remote 
state preparation may have significance for foundational 
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research. It has been proposed [gO| that the structure of 
quantum mechanics might be deduced from some simple 
information-theoretic principles, for instance, assump- 
tions about how well information can be gathered, ma- 
nipulated and stored in our universe. Critical to the pro- 
gram is determining the extent to which various infor- 
mation processing tasks can be successfully implemented 
using quantum resources. The implications of our results 
for various cryptographic tasks constitute a contribution 
to this endeavour. Ultimately however, the program re- 
quires understanding the success of all achievable tasks 
in terms of a few simple facts about information process- 
ing, for instance, facts about a few 'primitive' tasks. It 
has been speculated by Fuchs that the task of state es- 
timation is such a primitive. We add to this our own 



speculation, namely, that the task of preparing quantum 
states at a remote location is another such primitive. 

Note added. After the completion of this research the 
authors were informed [|l] of related results obtained by 
A. Ambainis on fair coin tossing protocols with bounded 
biases. 
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Appendix 

Proof of Lemma 1. The density operators for qubits 
can be represented by vectors on the Bloch sphere. If p 
and a are represented by vectors r and s, then in terms 
of these, the trace distance and fidelity squared can be 
written as [|ll|, |ll 



Defining r 
D + F^ 



If] ,s ~ \s\ and cos ( 
1 



s/rs, we have 



2rs cos ( 
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+ - (l + rscos(b+ J(l-r^)(l- s'^)) . and - ^2) (1 - s2) > (l - r) (1 + s) . Together, these 
2 V V VV J J ^^^^^ .^p^^ ^^^^ _^ ^^^^ > □ 

This is miniiiiized for = 0. Moreover, assuming (ar- 
bitrarily) that r > s, we have Vr'^ + s"^ — 2rs = r — s 



